Lock function of security-related system values
Most security system values can be altered only by a user with Security administrator (*SECADM) and All object (*ALLOBJ) special authorities. To prevent even these users from changing these system values during normal operation, system service tools (SST) and dedicated service tools (DST) provide an option to lock these security values.
Only some system values can be locked.
The default value is Yes; therefore, users can change security-related system values.
The following table identifies the system values that are affected by this option. Both the IBM® Navigator for i name and the character-based name are specified.
| System value category / name | Name in the character-based interface |
| Auditing system values | |
| Activate action auditing | QAUDLVL
QAUDLVL2 |
| Activate object auditing | QAUDCTL |
| Audit journal error action | QAUDENDACN |
| Default auditing for newly created objects | QCRTOBJAUD |
| Maximum number of journal entries in auxiliary storage | QAUDFRCLVL |
| Device system values | |
| Action to take when a device error occurs | QDEVRCYACN |
| Local controllers and devices | QAUTOCFG |
| Pass-through devices and Telnet | QAUTOVRT |
| Remote controllers and devices | QAUTORMT |
| Jobs system values | |
| Allow jobs to be interrupted | QALWJOBITP |
| Time-out interval | QDSCJOBITV |
| When job reaches time-out | QINACTMSGQ |
| Password system values | |
| Maximum password length | QPWDMAXLEN |
| Minimum password length | QPWDMINLEN |
| Minimum time between password changes | QPWDCHGBLK |
| Password expiration | QPWDEXPITV |
| Password expiration warning interval | QPWDEXPWRN |
| Password level | QPWDLVL |
| Password reuse cycle | QPWDRQDDIF |
| Password rules | QPWDRULES |
| Password validation program | QPWDVLDPGM |
| Require a new character in each position | QPWDPOSDIF |
| Require at least one digit | QPWDRQDDGT |
| Restrict repeating characters | QPWDLMTREP |
| Restricted characters | QPWDLMTCHR |
| Restrict consecutive digits | QPWDLMTAJC |
| Messages and service system values | |
| Allow remote service of system | QRMTSRVATR |
| Save and restore system values | |
| Allow restore of security sensitive objects | QALWOBJRST |
| Convert objects during restore | QFRCCVNRST |
| Verify object signatures on restore | QVFYOBJRST |
| Security system values | |
| Allow server security information to be retained | QRETSVRSEC |
| Allow these objects in | QALWUSRDMN |
| Allow use of shared or mapped memory with write capability | QSHRMEMCTL |
| Default authority for newly created objects in QSYS.LIB file system | QCRTAUT |
| Scan control | QSCANFSCTL |
| Security level | QSECURITY |
| Secure Sockets Layer cipher control | QSSLCSLCTL |
| Secure Sockets Layer cipher specification list | QSSLCSL |
| Secure Sockets Layer protocols | QSSLPCL |
| Use registered exit programs to scan the root (/), QOpenSys, and user-defined file systems | QSCANFS |
| Users who can work with programs with adopted authority | QUSEADPAUT |
| Sign-on system values | |
| Display sign-on information | QDSPSGNINF |
| Incorrect sign-on attempts | QMAXSIGN |
| Maximum number of device sessions a user can have | QLMTDEVSSN |
| Remote sign-on | QRMTSIGN |
| Restrict privileged users to specific device session | QLMTSECOFR |
| When maximum is reached | QMAXSGNACN |
If you specify No for Allow security-related system values changes, users cannot change security-related system values. If you need to change a security-related system value, the Allow security-related system values changes parameter must be changed to Yes in SST.
If you specify Yes for Allow security-related system values changes, users with the required authorities can change security-related system values. Even though the security-related system values are unlocked, you still need Security administrator (*SECADM) and All object (*ALLOBJ) special authorities to change them. If you do not want to allow users to change a security-related system value, the Allow security-related system values changes parameter must be changed to No in SST.